GDPR Statement
Last updated: April 2026
StefSite is committed to compliance with the EU General Data Protection Regulation (Regulation 2016/679) and equivalent UK legislation. This statement explains how we meet those obligations. It complements our Privacy Policy.
1. Data controller
StefSite acts as the data controller for personal data submitted through StefSite.com. For all GDPR matters, contact:
2. Lawful basis for processing
We rely on the following lawful bases under Article 6 GDPR:
- Consent (Art. 6(1)(a)) — when you voluntarily submit your URL and email through our form to receive a redesign preview.
- Contract (Art. 6(1)(b)) — when we process data to deliver a paid website project to you.
- Legitimate interest (Art. 6(1)(f)) — for security logs, fraud prevention, and limited business outreach to publicly listed companies, where our interests don't override your rights.
- Legal obligation (Art. 6(1)(c)) — for invoicing, tax retention, and responding to lawful requests from authorities.
3. Your rights as a data subject
You have the following rights, free of charge:
- Right of access (Art. 15) — get a copy of the data we hold about you.
- Right to rectification (Art. 16) — have inaccurate data corrected.
- Right to erasure (Art. 17) — request deletion of your data.
- Right to restrict processing (Art. 18) — limit how we use your data.
- Right to data portability (Art. 20) — receive your data in a machine-readable format.
- Right to object (Art. 21) — object to processing based on legitimate interest.
- Right to withdraw consent (Art. 7(3)) — at any time, without affecting prior lawful processing.
- Right not to be subject to automated decisions (Art. 22) — we do not make legally significant decisions about you using automated processing.
4. How to exercise your rights
Email privacy@stefsite.com with your request. To protect your data, we may ask you to confirm your identity. We respond within 30 days, as required by Article 12. If your request is complex, we may extend this period by an additional two months, and we will notify you of the reason.
5. Data retention
- Prospect submissions: 12 months
- Client project data: duration of relationship + 7 years (legal/tax retention)
- Server logs: 30 days
- Marketing emails: until you unsubscribe
6. International transfers
Where personal data is transferred outside the European Economic Area — for example to AI providers based in the United States — we rely on the EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) and additional safeguards where required.
7. Data breaches
In the event of a personal data breach likely to result in a risk to your rights or freedoms, we will notify the competent supervisory authority within 72 hours and, if the risk is high, notify affected individuals without undue delay (Articles 33–34).
8. Right to lodge a complaint
If you believe we've mishandled your data, you have the right to file a complaint with your local data protection authority. For Dutch residents, this is the Autoriteit Persoonsgegevens. A list of all EU authorities is available on the European Data Protection Board website.
9. Data Protection Officer
As a small organization, we are not legally required to appoint a Data Protection Officer under Article 37. Privacy matters are handled directly by the founders. For any GDPR question, write to privacy@stefsite.com.